httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Zhumabekov Yerden <>
Subject Re: Restricting access by arbitrary certificate extension
Date Fri, 29 May 2009 16:08:59 GMT
Dr Stephen Henson пишет:

> Zhumabekov Yerden wrote:
>> Let me explain. Imagine some information system, which authorizes users
>> by examinig
>> their certificates for existence of some certain OID. If you look
>> through modssl
>> configuration, you would see that there is no way for apache to
>> authorize users like that.
>> The only thing modssl proposes is to make use of OID() directive, which
>> is not useful
>> since, as you said above, the value of this extension can have some
>> complex structure.
>> And if this OID does not have corresponding NID, using the OID()
>> directive in
>> http-ssl.conf makes no sense at all. Just look through the code and you
>> will understand.
> You mean an extension which contains a specific OID as its value?
No, I just want to check if the user certificate
contains extension _using_ its OID.

OID() function (the one implemented in modssl)
can only extract the values of certificate
extension which is familiar to openssl.

For example, let you have some arbitrary
extension and its OID is "". Since
OpenSSL doesn't have this OID listed in its
header files, it will not be able to read
the value of this extension in certificate.

But, if you supply

SSLRequire "some string in my extension" in OID("")

normally, mod_ssl will say "there is no such
extension in certificate, _because_ I cannot
read it" instead of "there is extension of
this OID in certificate, _but_ I cannot read

I just want to have some directive in
configuration file which is useful to
check _if_ the extension of certain OID
is present in user's supplied certificate.
That's simple, but mod_ssl cannot do
that simple check.

>> ogically speaking, this kind of check looks much easier to understand
>> than the existing
>> syntax proposed by modssl which makes no sense in many cases, just as
>> you have
>> stated before. I wonder why it's still not implemented in modssl.
> The code looks a little unusual to me. The loop could be simplified by use of
> X509_get_ext_by_OBJ() and avoid the direct structure access of ext->obj or just
> use of X509_EXTENSION_get_object(). The variable oid needs to be freed otherwise
> it will leak memory if the object doesn't have a corresponding NID.
> Machine parsing human readable text output has the usual disclaimers. You'd
> better be *very* sure string tricks can't trip you up.
Thanks for suggestions.

Yerden Zhumabekov

View raw message